Rebol.org plugin question
[1/8] from: jasonic::nomadics::org at: 1-Sep-2004 12:04
What would it take to add a "run this script in browser" link/button on
Rebol.org ?
I am thinking probably quite a number of scripts can be run directly online,
especially view/vid work.
Perhaps people submitting scripts could even add a 'rebplug' flag in their
header blocks to make it easy to maintain the site run plugin autolinks ?
- Jason
[2/8] from: SunandaDH:aol at: 1-Sep-2004 13:09
Hi Jason:
> What would it take to add a "run this script in browser" link/button on
> Rebol.org ?
Good question....It would take three things:
1. As you suggest, scripts in question would need to be flagged in their
Library header as
type: [... plugin ...]
so we'd know that they *could* be executed in a browser. That's explained
here:
http://www.rebol.org/cgi-bin/cgiwrap/rebol/boiler.r?display=terms.html
and here:
http://www.rebol.org/cgi-bin/cgiwrap/rebol/one-click-submission-help.r?help=type
2. The view-script and search CGIs at REBOL.org would need to spot the type of
plugin and offer a "run as plugin" link in addition to the view and download
options they offer now.
That's technically fairly simple, but has not been done -- just a matter of
getting the object tag right as explained in:
http://www.rebol.net/plugin/tests/plugin-guide.html#section-4.1
3. The Library team would need to be persuaded that (2) is a safe and
worthwhile thing to do:
-- safety -- I've not looked into the issues. I'd appreciate some responses
here from anyone who has.
-- worthwhile -- seems little point in doing (2) while no one has yet
contributed a script that is flagged as a plugin (or updated their earlier scripts to
say that they are pluginable).....Of course, I appreciate that that is
partially a chicken and roundabouts situation: why should anyone do (1) when we
haven't done (2)?
I guess the way to break that impasse is for people to contribute plugin
scripts, and then the Library team has to play catch-up.
Sunanda.
[3/8] from: tomc::darkwing::uoregon::edu at: 1-Sep-2004 10:11
there is the whole only works on XP with IE or latest firefox with
ActiveX plugin that would have to be spelled out
On Wed, 1 Sep 2004, Jason Cunliffe wrote:
[4/8] from: jasonic::nomadics::org at: 1-Sep-2004 16:02
Sunanda
Thanks for your comments..
-- Security --
My understanding was that the Rebol plug-in already sandboxes Rebol scripts
in the browser from doing damage, just as flash does -
i.e. locks one out of the file system.
Please can anyone clarify this?
-- Catch-22:Chicken-Egg --
Yes I appreciate your 'If they come, we will play' approach.
I'll bet though that there are many small View scripts already on Rebol.org
which would run as is.
Must be all kinds of small demos and technique how-to examples.
I suppose a script could parse through looking for 'show view layout' etc and
try to run them in the browser.
A fast hack to explore scope of the existing possibilities and hope to
encourage future ones.
-- Platform --
Re: Tom's comment about needing XP: IE and Firefox installation caveats..
Yes true.
But that should not be an obstacle. XP and IE are incredibly popular, like
them or not. Firefox improves thinking people's attitude/experience of XP.
More exposure for rebol is a good thing (tm)
RT and community spent a lot of precious effort [at the expense partly of
new View] to get Plug-in released.
Therefore build upon that investment by making it as easy as possible to
use.
Does anyone have stats on browser platform access to Rebol.org for example?
How many people are in fact using XP : IE Firefox ?
I see transparent access to rebol plug-in at rebol.org working like a nice
intro to Easy-Vid.
You know --> Display code snippets --> click text to run/view --> Smile and
go wow/aha :-)
-- Evangels--
My background argument as always is that Rebol needs better web exposure.
Rebol.org has increased the Google/Division visibility significantly.
There is a new generation of potential Rebolers who could be about to
discover Rebol.
Flash Actionscript programming while much more powerful, has also gotten
considerably more complicated and expensive for newbies.
Rebol in the browser is a great mini-laboratory for kids to learn and play
with.
Jason
[5/8] from: hallvard::ystad::oops-as::no at: 2-Sep-2004 0:46
Hi
I want to reply to this, although I've only read the messages in the thread on rebol.org,
since I still do not receive any list emails.
This really is only bragging about my own little hobby project, so ignore if you wish.
The rix already offers the possibility to use any rebol script found on the internet
as a plugin script. There are of course a few gotchas, like for instance the fact that
rix will plug in anything that has a valid rebol header. /Core scripts tend to be a bad
experience as a plugin script.
But if rebol.org should ever want to implement such a feature, I'll be happy to share
my rebol- and html-code. See this URL for an example:
http://www.oops-as.no/rix?plugin=yes&url=http://www.oops-as.no/roy/rebol-scripts/prob.r
(this, by the way, crashes my firefox0.9.3 repeatedly! Try with IE)
Rix will look for "msie" in your user-agent string and only offer to plug in scripts
for IE. I'll change this to accept also Firefox. Soon.
HY
[6/8] from: SunandaDH::aol::com at: 2-Sep-2004 4:47
Tom:
> there is the whole only works on XP with IE or latest firefox with
> ActiveX plugin that would have to be spelled out
Good point, thanks. If/when we provide a "run this script" link it'd have to
go to a page that explains that nothing may happen, and what to do if it does.
Jason:
> My understanding was that the Rebol plug-in already sandboxes Rebol scripts
> in the browser from doing damage, just as flash does -
> i.e. locks one out of the file system.
That's exactly the sort of question I'd like the answer to too. Is the
sandbox completely overridden when someone clicks "yes to all" to the security
message -- as it is in unplugged REBOL?
> I suppose a script could parse through looking for 'show view layout'
> etc and try to run them in the browser.
> A fast hack to explore scope of the existing possibilities and hope to
> encourage future ones.
Another possibility for a fast track is to enable plugin execution
only for named Library members. That way you and a few other brave REBOL
skirmishers could explore the issues while only risking your own machines. If
anyone wants to be part of a plugin beta team at REBOL.org, please let me
know your REBOL.org user-name.
> Does anyone have stats on browser platform access to Rebol.org
> for example?
> How many people are in fact using XP : IE Firefox ?
I got stats by the bucketload. But turning them into facts is not so easy.
Browsers spoof their identities and there is no 100% way of knowing what they
really are.
Having said that, here's some stats for the whole of the month just gone,
August.
We executed 129,081 CGIs. Plus we served an unknown (because I haven't looked
it up) number of static pages (not that many: not much of the site is static).
Of those 129,081 CGIs, there were 1566 different user-agent identification
strings. From those we have to work out what the browsers might be. Here are
some actual UA id strings from August:
Mozilla/5.0 (compatible; Konqueror/3.1; FreeBSD)
Mozilla/5.0 (Windows NT 5.1; U) Opera 7.53 [en]
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7) Gecko/20040628 Firefox/0.9.1
Mozilla/5.0 (Macintosh; U; PPC; en-US; rv:1.2.1) Gecko/20021130
Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.6) Gecko/20040414 Epiphany/1.2.6
Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.4) Gecko/20030630 Galeon/1.3.8
Note that the major identity in all the examples is "Mozilla/5.0" while the
various sub-strings suggest a range of platforms and browsers.
474 12819 9.9% gecko
This means 474 different browsers identified themselves as "gecko" (i.e. had
gecko somewhere in their UA id string). We executed 12,819 CGIs for them.
That's 9.9% of our total CGIs. Similarly:
777 26002 20.1% msie
163 6715 5.2% firefox
213 2492 1.9% linux
66 2760 2.1% mac os
18 1063 0.8% rebol (mainly automated services for downloading packages and scripts)
13 47 0.0% amiga
(Note there is some double counting: "Mozilla/5.0 (X11; U; Linux i686; en-GB;
rv:1.4) Gecko/20030630 Galeon/1.3.8" is both "linux" and "gecko".)
It is also not easy to turn these figures into counts of *human* visitors.
Approximately half the total visits are from bots, so that "9.9% Gecko" is
probably closer to "20% human visitors using Gecko" .
One conclusion you can draw is that REBOL.org attracts an above-average
number of non-IE users. That's probably not a surprise.
If anyone wants the August UA list to do their own stats, please let me know
-- it's a 12K file.
Hallvard:
> But if rebol.org should ever want to implement such a feature,
> I'll be happy to share my rebol- and html-code.
Thanks we might take you up on that.......It's also another fast track way
for anyone who wants to start experimenting with running random scripts as
plugins.
Sunanda
[7/8] from: rebol-list2::seznam::cz at: 16-Sep-2004 0:44
Hello Jason,
Wednesday, September 1, 2004, 10:02:23 PM, you wrote:
JC> Sunanda
JC> Thanks for your comments..
JC> -- Security --
JC> My understanding was that the Rebol plug-in already sandboxes Rebol scripts
JC> in the browser from doing damage, just as flash does -
JC> i.e. locks one out of the file system.
JC> Please can anyone clarify this?
I think there are still some issues as you can work with ports without
user permissions so for example someone can make a script which will attack
other pages or spam anybody and the user doesn't need to know that something
is happening - if he's not using some firewall (which is necessary
these days)
But such attacks can be done from flash as well (except spamming of
course).
Best regards,
rebOldes -----------------[ http://oldes.multimedia.cz/ ]
[8/8] from: SunandaDH::aol::com at: 20-Sep-2004 11:07
Oldes:
> I think there are still some issues as you can work with ports without
> user permissions so for example someone can make a script which will attack
> other pages or spam anybody and the user doesn't need to know that something
> is happening -
Thanks for that.....That was my understanding too.
Which is partially why we've been cautious in implementing the plugin at
REBOL.org.....It would be too simple for someone to upload a malicious script
which is then just a naive IE click away from doing some damage.
I've just uploaded what should be the final stage of implementing the plugin
**safely** at REBOL.org. Our "security model" is two-phase:
1. Any Library member can upload a script and mark it as "plugin". We will
allow the owner to run it under the plugin but not others.
2. A member of the "plugin posse" checks the script for malicious intent. If
they don't find anything, they will flag the script as okay for the plugin.
There are currently three scripts that are plugin enabled -- they should all
appear on this list with a *Run* link enabled.
http://www.rebol.org/cgi-bin/cgiwrap/rebol/search.r?special-filter=recent
There would be many more, but we're still waiting for script owners to update
their scripts to say that they are plugin-ready:
http://www.rebol.org/cgi-bin/cgiwrap/rebol/ml-display-message.r?m=rmlHVHC
If you'd like to be on the plugin posse, please let me know.
Sunanda
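An added sketch of the two-phase gate described in the message above, not REBOL.org's actual code: the owner may always run their own plugin-flagged script, everyone else only after a reviewer has approved it. All names are hypothetical, and two details are assumptions that go beyond the thread: approval is bound to a digest of the reviewed source, so editing the script withdraws the *Run* link for other users until it is re-checked, and owners cannot approve their own scripts.

```python
import hashlib
from dataclasses import dataclass

REVIEWERS = {"reviewer1"}  # hypothetical "plugin posse" user-names


@dataclass
class Script:
    owner: str
    source: str
    types: list               # Library header "type:" words, e.g. ["demo", "plugin"]
    approved_sha256: str = ""  # digest of the source a reviewer checked ("" = never)

    def digest(self):
        return hashlib.sha256(self.source.encode("utf-8")).hexdigest()


def approve(script, reviewer):
    """Phase 2: a reviewer records approval of exactly the current source."""
    if reviewer not in REVIEWERS:
        raise PermissionError("not a plugin reviewer")
    if reviewer == script.owner:  # assumption: no self-approval
        raise PermissionError("owners cannot approve their own script")
    script.approved_sha256 = script.digest()


def may_run_as_plugin(script, viewer):
    """Decide whether to show the Run link; viewer is None when not logged in."""
    if "plugin" not in script.types:
        return False              # default deny: script not flagged as a plugin
    if viewer is not None and viewer == script.owner:
        return True               # phase 1: owners only risk their own machine
    # Everyone else: only if the reviewed bytes are the bytes being served.
    return script.approved_sha256 == script.digest()


if __name__ == "__main__":
    s = Script("alice", "REBOL [] view layout [text {hi}]", ["demo", "plugin"])
    print(may_run_as_plugin(s, "alice"), may_run_as_plugin(s, "bob"))  # before review
    approve(s, "reviewer1")
    print(may_run_as_plugin(s, "bob"))                                 # after review
    s.source += " ; edited after review"
    print(may_run_as_plugin(s, "bob"))                                 # edit voids approval
```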